Office for Human Research Protections (OHRP)
Secretary's Advisory Committee on Human Research Protections (SACHRP)
The Privacy Rule defines "public health authority" as "an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate." (Emphasis added.) This definition is further refined by the provision in the Privacy Rule that permits disclosure without authorization of PHI to public health authorities if the public health authority "is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority." (Emphasis added.)
In light of the circumscribed scope of the public health reporting exception, many Covered Entities have been hesitant to disclose information to a range of federal and state agencies that do not appear to meet the technical definition of a public health authority because they are not necessarily expressly authorized by law to collect PHI for the stated purposes. SACHRP has received some reports, for example, of Covered Entities' reluctance to disclose PHI to the Department's Agency for Healthcare Research and Quality (AHRQ). Notwithstanding the important quality assurance and public health research conducted by these agencies, to the extent they fall outside of the public health reporting exception, Covered Entities are required to seek individual authorization from each individual patient from whom PHI would otherwise be disclosed, or to proceed on an institution-by-institution basis with seeking waivers from individual IRBs.